Vulnerabilities found in Qualcomm chips could leave 900 million Android devices open to attack

Security researchers have discovered serious flaws in Android phones and tablets with Qualcomm chips that could allow hackers to take control of a device.

Researchers at Checkpoint Security discovered that the four vulnerabilities, collectively named “Quadrooter,” could affect the 900 million Android devices worldwide that use Qualcomm's hardware. And while there is no evidence that they have been used in attacks, the company believes it is only a matter of time before it happens.

"I'm pretty sure you will see these vulnerabilities being used in the next three to four months," said Michael Shaulov, head of mobility product management at Checkpoint.

The company listed some of the impacted devices, though far more will be affected

BlackBerry Priv and Dtek50

Blackphone 1 and Blackphone 2

Google Nexus 5X, Nexus 6 and Nexus 6P

HTC One, HTC M9 and HTC 10

LG G4, LG G5, and LG V10

New Moto X by Motorola

OnePlus One, OnePlus 2 and OnePlus 3

US versions of the Samsung Galaxy S7 and Samsung S7 Edge

Sony Xperia Z Ultra

An attack requires a user to install a piece of malware sent to them, but it could also be executed via a malicious app, which wouldn’t require any special permissions. "Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing," wrote Checkpoint researchers.

The flaws lie in Qualcomm's GPU drivers and kernel module. Should they be exploited, an attacker can gain root access, thereby giving them control of a device and access to its data.

Qualcomm said it has created patches for the vulnerabilities and started to use the fixed versions in its factories. It has also issued patches to customers, operators, and partners.

Three of the flaws were fixed in Google’s latest set of monthly security updates, with the remaining patch set to roll out in the September update.

Checkpoint has released a free QuadRooter Scanner app, which lets users know if a device is vulnerable by checking if the patches have been downloaded and installed.

As always, the rule here is not to open files sent by people you don’t know – and be careful even when the messages appear to originate from friends. Also, don’t install apps from outside the official Google Play Store.